Add permissions block and actions analysis #3927
Conversation
There was a problem hiding this comment.
PR Overview
This PR adds a new ESLint configuration file for the ql-vscode extension and updates several GitHub workflow files to include explicit permissions settings.
- Introduces an ESLint config file with multiple environments and parser settings.
- Updates several GitHub workflows to explicitly define minimal permissions for improved security and compliance.
Changes
| File | Description |
|---|---|
| extensions/ql-vscode/eslint.config.js | New ESLint configuration providing rules, plugins, and settings for various file types and directories. |
| .github/workflows/codeql.yml | Adds a matrix strategy for CodeQL analysis and updates language inputs. |
| .github/workflows/cli-test.yml | Updates CLI test workflows to include required permissions. |
| .github/workflows/release.yml | Modifies release workflows to include explicit permissions for build and release steps. |
| .github/workflows/main.yml | Sets minimal permissions on the main workflow. |
| .github/workflows/label-issue.yml | Adds permission for issues to be written for labeling. |
| .github/workflows/e2e-tests.yml | Introduces explicit permissions in the e2e tests workflow. |
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Comments suppressed due to low confidence (1)
extensions/ql-vscode/eslint.config.js:5
- There is an unintended trailing space in the '.tsx ' file extension, which could lead to file matching issues. Please remove the extra space.
files: [".js", ".ts", ".tsx "],
Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
This change does two things. If it is complicated to review I will split up. First, this ensures that all workflows have minimal permissions blocks. Second, this adds actions analysis.
aeisenberg
force-pushed
the
aeisenberg/add-permissions-actions
branch
from
323aa3e to
acc46ce
Compare
| @@ -17,6 +17,8 @@ jobs: | |||
| find-nightly: | |||
There was a problem hiding this comment.
Should we set permissions: {} on the top-level so any new jobs that are defined won't get permission by default? Alternatively, we could also set permissions: { contents: read } at the workflow-level and keep the permissions block on the report-failure job.
| permissions: | ||
| contents: read |
There was a problem hiding this comment.
Same here, should we set this as the workflow level?
This change does two things. If it is complicated to review I will split up.
First, this ensures that all workflows have minimal permissions blocks. Second, this adds actions analysis.
A little bit of extra security hardening.